\subsection{x86 Architecture}
\begin{frame}
    \frametitle{A 50,000ft View of the x86 Architecture}
    \begin{block}{}
        The main components of the x86 include the CPU, memory, disk and registers. The CPU operates on a fetch, decode and execute cycle.
    \end{block}
    \begin{itemize}
        \item Applications are implemented with individual \alert{assembly} instructions
        \item Individual instructions can:
            \pedbullet{Reference / manipulate memory}
            \pedbullet{Perform calculations}
            \pedbullet{Determine the \alert{next} instruction to execute}
        \item A \textit{single} line of high level code usually translates to \textit{multiple} instructions
        \item The x86 platform is considered \alert{CISC} vs RISC
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Introduction to Registers}
    \begin{itemize}
        \item There are 8 general purpose registers on 32-bit x86 platforms
        \item Each register is 32 bits long
        \item Register access is lowest latency (vs. memory or disk)
        \item As registers are valuable, compilers try to be intelligent with their usage
            \pedbullet{This factor comes into play during reversing}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{x86 General Purpose Registers}
    \begin{itemize}
        \item EAX
            \pedbullet{Volatile, accumulator, return value of functions}
        \item EBX
            \pedbullet{Non-volatile, base (indirect addressing)}
        \item ECX
            \pedbullet{Volatile, Counter, loop instructions}
        \item EDX
            \pedbullet{Volatile}
    \end{itemize}
    \begin{center}
        \begin{tabular}{|c|c|c|c|c|c|c|c|}                                     \hline
            8bits & 8bits & 8bits & 8bits & 8bits & 8bits & 8bits & 8bits   \\ \hline
            \multicolumn{8}{|c|}{\cellcolor{lightblue}RAX}                  \\ \hline
            & & & & \multicolumn{4}{|c|}{\cellcolor{red}EAX}                \\ \hline
            & & & & & & \multicolumn{2}{|c|}{\cellcolor{green}AX}           \\ \hline
            & & & & & & \cellcolor{orange}AH & \cellcolor{yellow}AL         \\ \hline
        \end{tabular}
    \end{center}
\end{frame}

\begin{frame}
    \frametitle{General Purpose Registers Continued}
    \begin{itemize}
        \item ESI
            \pedbullet{Non-volatile, string source}
        \item EDI
            \pedbullet{Non-volatile, string destination}
        \item ESP / EBP
            \pedbullet{Stack pointer (volatile) / frame pointer (non-volatile)}
        \item EIP
            \pedbullet{Instruction pointer}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Stack}
        \begin{definition}
            The stack is an abstract data structure supported by a combination of hardware and software features.
        \end{definition}
        \begin{itemize}
            \item Stack operations are \alert{L}ast \alert{I}n \alert{F}irst \alert{O}ut (\alert{LIFO})
            \item Think of it as a stack of dishes
            \item The \alert{\texttt{PUSH}} instruction places a 32-bit value on the stack
            \item The \alert{\texttt{POP}} instruction removes a 32-bit value from the stack
            \item The stack is used to pass parameters to functions
            \item The stack is used to maintain call chain state
            \item In Windows, the stack is used to store the \alert{S}tructured \alert{E}xception \alert{H}andling (\alert{SEH}) chain
        \end{itemize}
\end{frame}

\begin{frame}[fragile, label=debug]
    \frametitle{The Stack: Illustrated}
    \begin{columns}[T]
        \column{.5\textwidth}
            \begin{tiny}
            \begin{semiverbatim}
                0x43ce83b8: "pedram"
                0x43ce83bf: "amini"

                main:
                    \alert<2>{0x01 push 0xdeadbeef}
                    \alert<3>{0x02 pop eax}
                    \alert<4>{0x03 push 27}
                    \alert<5>{0x04 push 0x43ce83b8}
                    \alert<6>{0x05 push 0x43ce83bf}
                    \alert<7>{0x06 call copy_name}
                    \alert<17>{0x07 add esp, 0xc}
                    ...

                copy_name:
                    \alert<8>{0x20 push ebp}
                    \alert<9>{0x21 mov ebp, esp}
                    \alert<10>{0x22 sub esp, 0x100}
                    \alert<11>{0x23 lea eax, [ebp+0xc]}
                    \alert<12>{0x24 push eax}
                    \alert<13>{0x25 lea eax, [ebp-0x20]}
                    \alert<14>{0x26 push eax}
                    \alert<15>{0x27 call strcpy}
                    ...
                    \alert<16>{ret}
            \end{semiverbatim}
            \end{tiny}
        \column{.5\textwidth}
            \begin{tiny}
            \texttt{
            \begin{tabular}{r|c|l}
                              0x12FFFFFC & \cellcolor{gray}                                 0x00000000 & top of stack                       \\
                              0x12FFFF00 & \cellcolor{gray}                                 0x00000000 & end of SEH chain                   \\
                              0x12FFFF04 & \cellcolor{gray}                                 0x12345678 & SEH handler                        \\
                \only<2>     {0x12FFEFF8 & \cellcolor{yellow}                               0xDEADBEEF &                                    \\}
                \only<4-16>  {0x12FFEFF8 & \cellcolor{yellow}                               0x00000019 & 27                                 \\}
                \only<5-16>  {0x12FFEFF0 & \cellcolor{yellow}                               0x43CE83B8 & \emph{pedram}                      \\}
                \only<6-16>  {0x12FFEFEC & \cellcolor{yellow}                               0x43CE83BF & \emph{amini}                       \\}
                \only<7-15>  {0x12FFEFE8 & \cellcolor{red}                                  0x00000007 & return addr.                       \\}
                \only<8-15>  {0x12FFEFE4 & \cellcolor{orange}                               0x12FFEFF8 & saved frame                        \\}
                \only<10-15> {0x12FFEFE0 & \cellcolor{lightblue}\only<10-14>{ ....}\only<15-16>{ ..MA} & local vars                         \\}
                \only<10-15> {0x12FFEFC0 & \cellcolor{lightblue}\only<10-14>{ ....}\only<15-16>{ RDEP} & \only<14-15>{\alert{$\leftarrow$}} \\}
                \only<10-15> {0x12FFEEE0 & \cellcolor{lightblue}                                  .... &                                    \\}
                \only<12-15> {0x12FFEEDC & \cellcolor{yellow}                               0x43CE83B8 & \emph{pedram}                      \\}
                \only<14-15> {0x12FFEED8 & \cellcolor{yellow}                               0x12FFEFC0 & dst buff                           \\}
            \end{tabular}
            }
            \end{tiny}
    \end{columns}
\end{frame}


\subsection{Microsoft Windows OS}
\begin{frame}
    \frametitle{Microsoft Windows Memory Layout}
    \begin{columns}[T]
        \column{.5\textwidth}
            \begin{block}{Memory Space}
                \pause
                \uncover<+->{$2^{32}$}
                \uncover<+->{$= 4,294,967,296$ bytes} \\
                \uncover<+->{$ / 1024^3$}
                \uncover<+->{$= \alert<+->{4}$ \alert<.->{gigabytes}}
            \end{block}
        \column{.5\textwidth}
            \uncover<.->{\begin{block}{Memory Separation}
                The NT based platforms typically split the available 4 gigabytes of addressable memory into two halves; kernel and user.
            \end{block}}
    \end{columns}
    \uncover<+->{
        \begin{itemize}
            \item Each process "sees" it's own 2 gigabytes of virtual memory
                \pedbullet{This is possible thanks to \alert{memory paging}}
                \pedbullet{Processes can not "break out" of their memory space}
            \item The virtual address space is broken in \alert{pages}
                \pedbullet{Pages are typically \alert{4,096} bytes in size}
                \pedbullet{Memory permissions are applied at the page level}
        \end{itemize}
    }
\end{frame}

\begin{frame}
    \frametitle{Typical Memory Layout Diagram}
    \begin{columns}[T]
    \column{.5\textwidth}
        \begin{center}
        \begin{tiny}
        \texttt{
            \begin{tabular}{r|c|}
                             0x00000000 & \cellcolor{gray}USER SPACE                  \\
                             &                                                        \\
                \uncover<5->{0x00010000 & \cellcolor{yellow}Environment Variables     \\}
                             &                                                        \\
                \uncover<6->{0x00030000 & \cellcolor{orange}Heap                      \\}
                             &                                                        \\
                \uncover<7->{0x0012f000 & \cellcolor{red}Stack of Main Thread         \\}
                \uncover<6->{0x00150000 & \cellcolor{orange}Heap                      \\}
                             &                                                        \\
                \uncover<2->{0x00400000 & \cellcolor{green}Main Executable            \\}
                \uncover<2->{& \cellcolor{green}                                      \\}
                             &                                                        \\
                \uncover<8->{0x00d8d000 & \cellcolor{red}Stack of Thread 2            \\}
                             &                                                        \\
                \uncover<4->{0x71ab0000 & \cellcolor{green}WS2\_32.DLL                \\}
                             &                                                        \\
                \uncover<3->{0x7c800000 & \cellcolor{green}KERNEL32.DLL               \\}
                             &                                                        \\
                \uncover<3->{0x7c900000 & \cellcolor{green}NTDLL.DLL                  \\}
                             &                                                        \\
                \uncover<1->{0x7f000000 &
                \\}
                             0x80000000 & \cellcolor{gray}KERNEL SPACE                \\
            \end{tabular}
        }
        \end{tiny}
        \end{center}
    \column{.5\textwidth}
        \begin{block}{On Process Launch}
            \begin{itemize}
                \item<2-> Main image loaded into memory
                \item<3-> Required DLLs loaded into memory
                \item<5-> Environment variables mapped into memory
                \item<6-> Process heaps initialized
                \item<7-> Process stacks initialized
            \end{itemize}
        \end{block}
    \end{columns}
\end{frame}

\begin{frame}
  \frametitle{The Memory Layout Diagram}
  \begin{center}
    \pgfimage[height=7cm]{images/architecture_and_os/memory_layout}
  \end{center}
\end{frame}

\begin{frame}
    \frametitle{The Heap}
    \begin{itemize}
        \item Static allocations mostly originate from the stack
        \item The heap is the source of dynamic memory allocation
        \item There are multiple heap implementations
        \item Memory for the heap is allocated from user space
        \item The heap is essentially a number of doubly linked lists, organized by size
        \item Allocated blocks are removed from the free lists
        \item De-allocated blocks are placed back into the free lists
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{SEH: Structured Exception Handling}
    \begin{itemize}
        \item Exception handlers are simply a registered function to refer to when "something bad happens"
        \item You can for example register an exception handler to handle attempts to divide by zero
        \item You can register more then one exception handler
        \item The \alert{chain} of exception handlers are stored on the stack
        \item When an exception occurs, the chain is walked to find an appropriate handler
        \item There is a catch-all handler, that's what generates the "Windows has detected a general protection fault" dialog
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Exercise}
    \begin{itemize}
        \item OllyDbg
            \pedbullet{Attach to or load calc.exe or notepad.exe}
            \pedbullet{Hit 'M' and verify memory layout}
        \item LordPE
            \pedbullet{Load calc.exe or notepad.exe}
            \pedbullet{Explore the various PE fields and directories}
            \pedbullet{We'll walk through the PE file format in depth in a minute}
    \end{itemize}
\end{frame}
